trickbot | 31e7c98658f969087b1b8c9dd16beda32e1abdb48fd6f5e2d6a335a053b4c7c5 | Triage

Submit
Reports

Overview

overview

Static

static

statistics.07.21.doc

windows7_x64

1

statistics.07.21.doc

windows10_x64

Sharing

General

Target

statistics.07.21.doc
Size

55KB
Sample

210709-w3gay8ez3s
MD5

532a70b103c45dc83ea5bdfd6ea80854
SHA1

f8d2c0746d20dd4014ba8ec4a14429a51273c76c
SHA256

31e7c98658f969087b1b8c9dd16beda32e1abdb48fd6f5e2d6a335a053b4c7c5
SHA512

d376557e7fdbc23d54d3987689a812ca943c9ef623adf5b02d11015b6dd38ff5109e25da8fb993154d4a76d275c1355e1420471fad9e90b2e70fe46961bbe5f8

Score

10^/10

trickbot zev1 banker spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

statistics.07.21.doc

Resource

win7v20210410

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

statistics.07.21.doc

Resource

win10v20210408

trickbot zev1 banker spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

trickbot

Version

2000031

Botnet

zev1

C2

14.232.161.45:443

118.173.233.64:443

41.57.156.203:443

45.239.234.2:443

45.201.136.3:443

177.10.90.29:443

185.17.105.236:443

91.237.161.87:443

185.189.55.207:443

186.225.119.170:443

143.0.208.20:443

222.124.16.74:443

220.82.64.198:443

200.236.218.62:443

178.216.28.59:443

45.239.233.131:443

196.216.59.174:443

119.202.8.249:443

82.159.149.37:443

49.248.217.170:443

181.114.215.239:443

113.160.132.237:443

105.30.26.50:443

202.165.47.106:443

103.122.228.44:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Targets

- Target
  
  statistics.07.21.doc
- Size
  
  55KB
- MD5
  
  532a70b103c45dc83ea5bdfd6ea80854
- SHA1
  
  f8d2c0746d20dd4014ba8ec4a14429a51273c76c
- SHA256
  
  31e7c98658f969087b1b8c9dd16beda32e1abdb48fd6f5e2d6a335a053b4c7c5
- SHA512
  
  d376557e7fdbc23d54d3987689a812ca943c9ef623adf5b02d11015b6dd38ff5109e25da8fb993154d4a76d275c1355e1420471fad9e90b2e70fe46961bbe5f8
Score

10^/10

trickbot zev1 banker spyware stealer trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

trickbotzev1bankerspywarestealertrojan

© 2018-2024

Terms | Privacy